npm - secure-review-extension - Versions diffs - 1.0.0 - Mend

secure-review-extension 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/CHANGELOG.md +9 -0
package/LICENSE +21 -0
package/README.md +304 -0
package/bin/secure-review.js +269 -0
package/extension.js +368 -0
package/media/shield.png +0 -0
package/media/shield.svg +6 -0
package/package.json +323 -0
package/scripts/bootstrap-review-tools.js +54 -0
package/src/code-actions.js +47 -0
package/src/constants.js +20 -0
package/src/diagnostics.js +41 -0
package/src/findings-provider.js +78 -0
package/src/report.js +837 -0
package/src/scanners/bootstrap-tools.js +303 -0
package/src/scanners/dynamic-scan.js +224 -0
package/src/scanners/static-rules.js +497 -0
package/src/scanners/static-scan.js +341 -0
package/src/scanners/tool-integrations.js +666 -0
package/src/scanners/workspace-profile.js +316 -0
package/src/store.js +49 -0
package/src/utils.js +24 -0

package/src/scanners/workspace-profile.js ADDED Viewed

@@ -0,0 +1,316 @@
+const fs = require("node:fs/promises");
+const syncFs = require("node:fs");
+const path = require("node:path");
+let vscode;
+try {
+  vscode = require("vscode");
+} catch {
+  vscode = null;
+}
+const LANGUAGE_BY_EXTENSION = new Map([
+  [".js", "javascript"],
+  [".jsx", "javascript"],
+  [".mjs", "javascript"],
+  [".cjs", "javascript"],
+  [".ts", "typescript"],
+  [".tsx", "typescript"],
+  [".py", "python"],
+  [".java", "java"],
+  [".go", "go"],
+  [".rs", "rust"],
+  [".c", "c"],
+  [".h", "c"],
+  [".cpp", "cpp"],
+  [".cc", "cpp"],
+  [".cxx", "cpp"],
+  [".hpp", "cpp"],
+  [".hh", "cpp"],
+  [".cs", "csharp"],
+  [".php", "php"],
+  [".rb", "ruby"],
+  [".json", "config"],
+  [".yaml", "config"],
+  [".yml", "config"],
+  [".toml", "config"],
+  [".xml", "config"],
+  [".tf", "config"],
+  [".properties", "config"],
+  [".sh", "shell"]
+]);
+const SPECIAL_FILENAMES = new Set([
+  ".env",
+  "Dockerfile",
+  "docker-compose.yml",
+  "docker-compose.yaml",
+  "package.json",
+  "package-lock.json",
+  "pnpm-lock.yaml",
+  "yarn.lock",
+  "requirements.txt",
+  "pyproject.toml",
+  "Pipfile",
+  "poetry.lock",
+  "go.mod",
+  "go.sum",
+  "Cargo.toml",
+  "Cargo.lock",
+  "pom.xml",
+  "build.gradle",
+  "build.gradle.kts",
+  "CMakeLists.txt",
+  "Makefile"
+]);
+async function buildWorkspaceProfile(config) {
+  const workspaceRoot = vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath;
+  if (!workspaceRoot) {
+    return {
+      workspaceRoot: null,
+      files: [],
+      languages: [],
+      frameworks: [],
+      manifests: {},
+      stats: { totalFiles: 0 }
+    };
+  }
+  const excludeGlobs = config.get("excludeGlobs", []);
+  const maxFiles = config.get("maxFiles", 400);
+  return buildWorkspaceProfileForRoot(workspaceRoot, { excludeGlobs, maxFiles });
+}
+async function buildWorkspaceProfileForRoot(workspaceRoot, options = {}) {
+  const excludeGlobs = options.excludeGlobs || [];
+  const maxFiles = options.maxFiles || 400;
+  const candidatePaths = await walkFiles(workspaceRoot, excludeGlobs, maxFiles);
+  const files = [];
+  for (const fsPath of candidatePaths) {
+    if (!shouldAnalyzeFile(fsPath)) {
+      continue;
+    }
+    const content = await readText(fsPath);
+    if (content === null) {
+      continue;
+    }
+    files.push({
+      fsPath,
+      relativePath: path.relative(workspaceRoot, fsPath).split(path.sep).join("/"),
+      baseName: path.basename(fsPath),
+      ext: path.extname(fsPath).toLowerCase(),
+      content
+    });
+  }
+  const languages = detectLanguages(files);
+  const frameworks = detectFrameworks(files);
+  const manifests = detectManifests(files);
+  return {
+    workspaceRoot,
+    files,
+    languages: [...languages].sort(),
+    frameworks: [...frameworks].sort(),
+    manifests,
+    stats: { totalFiles: files.length }
+  };
+}
+async function walkFiles(workspaceRoot, excludeGlobs, maxFiles) {
+  const results = [];
+  const excluded = buildExclusionMatchers(excludeGlobs);
+  async function visit(currentPath) {
+    if (results.length >= maxFiles) {
+      return;
+    }
+    let entries = [];
+    try {
+      entries = await fs.readdir(currentPath, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (results.length >= maxFiles) {
+        return;
+      }
+      const fullPath = path.join(currentPath, entry.name);
+      const relativePath = path.relative(workspaceRoot, fullPath).split(path.sep).join("/");
+      if (shouldExclude(relativePath, excluded)) {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        await visit(fullPath);
+      } else if (entry.isFile()) {
+        results.push(fullPath);
+      }
+    }
+  }
+  await visit(workspaceRoot);
+  return results;
+}
+function buildExclusionMatchers(excludeGlobs) {
+  return (excludeGlobs || [])
+    .map((glob) => String(glob || ""))
+    .filter(Boolean)
+    .map((glob) => glob
+      .replaceAll("\\", "/")
+      .replace(/^\*\*\//, "")
+      .replace(/\/\*\*$/, "/")
+      .replace(/\*/g, ""));
+}
+function shouldExclude(relativePath, matchers) {
+  const normalized = relativePath.replaceAll("\\", "/");
+  return matchers.some((matcher) => matcher && normalized.includes(matcher));
+}
+function shouldAnalyzeFile(filePath) {
+  const baseName = path.basename(filePath);
+  if (SPECIAL_FILENAMES.has(baseName)) {
+    return true;
+  }
+  const ext = path.extname(filePath).toLowerCase();
+  return LANGUAGE_BY_EXTENSION.has(ext);
+}
+function detectLanguages(files) {
+  const languages = new Set();
+  for (const file of files) {
+    const fromExt = LANGUAGE_BY_EXTENSION.get(file.ext);
+    if (fromExt && fromExt !== "config") {
+      languages.add(fromExt);
+    }
+    if (file.baseName === "Cargo.toml") {
+      languages.add("rust");
+    }
+    if (file.baseName === "go.mod") {
+      languages.add("go");
+    }
+    if (file.baseName === "requirements.txt" || file.baseName === "pyproject.toml" || file.baseName === "Pipfile") {
+      languages.add("python");
+    }
+    if (file.baseName === "pom.xml" || file.baseName === "build.gradle" || file.baseName === "build.gradle.kts") {
+      languages.add("java");
+    }
+    if (file.baseName === "package.json") {
+      languages.add("javascript");
+    }
+    if (file.baseName === "CMakeLists.txt" || file.baseName === "Makefile") {
+      languages.add("c");
+      languages.add("cpp");
+    }
+  }
+  return languages;
+}
+function detectFrameworks(files) {
+  const frameworks = new Set();
+  const packageJsonFile = files.find((file) => file.baseName === "package.json");
+  if (packageJsonFile) {
+    try {
+      const payload = JSON.parse(packageJsonFile.content);
+      const dependencies = {
+        ...(payload.dependencies || {}),
+        ...(payload.devDependencies || {}),
+        ...(payload.peerDependencies || {})
+      };
+      addIfDependency(frameworks, dependencies, "react", "react");
+      addIfDependency(frameworks, dependencies, "next", "nextjs");
+      addIfDependency(frameworks, dependencies, "vue", "vue");
+      addIfDependency(frameworks, dependencies, "@angular/core", "angular");
+      addIfDependency(frameworks, dependencies, "svelte", "svelte");
+      addIfDependency(frameworks, dependencies, "express", "express");
+      addIfDependency(frameworks, dependencies, "@nestjs/core", "nestjs");
+      addIfDependency(frameworks, dependencies, "koa", "koa");
+      addIfDependency(frameworks, dependencies, "fastify", "fastify");
+    } catch {}
+  }
+  for (const file of files) {
+    const lower = file.content.toLowerCase();
+    if (file.baseName === "requirements.txt" || file.baseName === "pyproject.toml") {
+      addIfText(frameworks, lower, "django", "django");
+      addIfText(frameworks, lower, "flask", "flask");
+      addIfText(frameworks, lower, "fastapi", "fastapi");
+    }
+    if (file.baseName === "pom.xml" || file.baseName === "build.gradle" || file.baseName === "build.gradle.kts") {
+      addIfText(frameworks, lower, "spring", "spring");
+      addIfText(frameworks, lower, "quarkus", "quarkus");
+    }
+    if (file.baseName === "go.mod") {
+      addIfText(frameworks, lower, "github.com/gin-gonic/gin", "gin");
+      addIfText(frameworks, lower, "github.com/labstack/echo", "echo");
+      addIfText(frameworks, lower, "github.com/gofiber/fiber", "fiber");
+    }
+    if (file.baseName === "Cargo.toml") {
+      addIfText(frameworks, lower, "actix-web", "actix-web");
+      addIfText(frameworks, lower, "rocket", "rocket");
+      addIfText(frameworks, lower, "axum", "axum");
+    }
+  }
+  return frameworks;
+}
+function detectManifests(files) {
+  const manifestNames = [
+    "package.json",
+    "requirements.txt",
+    "pyproject.toml",
+    "Pipfile",
+    "go.mod",
+    "Cargo.toml",
+    "pom.xml",
+    "build.gradle",
+    "build.gradle.kts",
+    "CMakeLists.txt",
+    "Dockerfile"
+  ];
+  return manifestNames.reduce((accumulator, name) => {
+    accumulator[name] = files.some((file) => file.baseName === name);
+    return accumulator;
+  }, {});
+}
+function addIfDependency(frameworks, dependencies, dependencyName, frameworkName) {
+  if (dependencies[dependencyName]) {
+    frameworks.add(frameworkName);
+  }
+}
+function addIfText(frameworks, haystack, needle, frameworkName) {
+  if (haystack.includes(needle)) {
+    frameworks.add(frameworkName);
+  }
+}
+async function readText(filePath) {
+  try {
+    return await fs.readFile(filePath, "utf8");
+  } catch {
+    return null;
+  }
+}
+module.exports = {
+  buildWorkspaceProfile,
+  buildWorkspaceProfileForRoot
+};

package/src/store.js ADDED Viewed

@@ -0,0 +1,49 @@
+const vscode = require("vscode");
+class FindingsStore {
+  constructor() {
+    this.findings = [];
+    this.ignored = new Set();
+    this.lastRun = null;
+    this._emitter = new vscode.EventEmitter();
+  }
+  get onDidChange() {
+    return this._emitter.event;
+  }
+  getVisibleFindings(minSeverity, severityOrder) {
+    return this.findings.filter((finding) => {
+      if (this.ignored.has(finding.id)) {
+        return false;
+      }
+      return severityOrder[finding.severity] >= severityOrder[minSeverity];
+    });
+  }
+  setFindings(findings) {
+    this.findings = findings;
+    this.lastRun = new Date();
+    this._emitter.fire();
+  }
+  clear() {
+    this.findings = [];
+    this.lastRun = null;
+    this._emitter.fire();
+  }
+  ignore(id) {
+    this.ignored.add(id);
+    this._emitter.fire();
+  }
+  getById(id) {
+    return this.findings.find((finding) => finding.id === id);
+  }
+}
+module.exports = {
+  FindingsStore
+};

package/src/utils.js ADDED Viewed

@@ -0,0 +1,24 @@
+const crypto = require("node:crypto");
+const path = require("node:path");
+function hashFinding(parts) {
+  return crypto.createHash("sha1").update(parts.join("|")).digest("hex").slice(0, 12);
+}
+function toPosixPath(filePath) {
+  return filePath.split(path.sep).join("/");
+}
+function shorten(text, length = 140) {
+  if (!text) {
+    return "";
+  }
+  return text.length > length ? `${text.slice(0, length - 1)}...` : text;
+}
+module.exports = {
+  hashFinding,
+  toPosixPath,
+  shorten
+};